Security vulnerabilities in SAP systems | All for One Poland

Security Vulnerabilities in SAP Systems

SAP Critically Vulnerable

Contrary to popular belief, SAP environments are by no means immune to cyberattacks – on the contrary, as systems critical to the business continuity of the largest companies, they have become one of the most common targets of hackers. We talk to Mateusz Włodarczak, a cybersecurity expert at All for One Poland, about why relying on a “secure configuration” is not enough and how to truly protect SAP systems.

Are SAP Systems Immune to Hacker Attacks?

Over the past year, I have hacked into SAP systems more than 20 times. Of course, as an ethical hacker, as part of security testing. I regularly observe how vulnerabilities in SAP – especially those with the highest possible criticality level, CVSS 10 – pose a real threat to business. CVSS 10 is not just an abstract label. It is a clear signal: an attacker can take full control of an entire system, often remotely and without any privileges. And we are talking about an environment that handles key financial, manufacturing or logistics processes. A single vulnerability can therefore mean halted operations, loss of data, or serious problems with compatibility with various systems and business continuity. Not to mention reputational damage.

Many companies believe that since they have an SAP system in place, they are secure "by definition." Why is this thinking wrong?

SAP is software just as prone to vulnerabilities as any other. The difference is that the scale of risk is much greater – because it is a central system. New vulnerabilities appear practically every month, often accompanied by ready-made exploits that even an inexperienced attacker, a so-called script kiddie, can use. And security patches are implemented late or only partially. As a result, companies that “feel secure” are often the most vulnerable. Until you conduct penetration testing, you have no real insight into what your security truly looks like.

SAP as a system is not unique in terms of vulnerabilities – what is unique is the scale of the impact an attack can have. It is a system that often "runs" the entire business. Taking over SAP is a golden ticket for a cybercriminal

Mateusz Włodarczak, Cybersecurity Expert, All for One Poland

So penetration testing is more than just a security policy requirement?

Definitely. It is the only effective way to find out where your real vulnerabilities are. Automated scanners are helpful, but in the case of SAP they are often not enough – many vulnerabilities require a manual approach and knowledge of the environment. A simple rule applies here: whoever finds the vulnerability first, wins. It is better to have our team of pentesters, ethical hackers, do it than someone with malicious intent.

How often should SAP security be tested?

At least once a quarter, and preferably periodically, after every major change or update. It is also important to combine automated scans with manual testing and analysis of configurations because a lot of issues result simply from incorrect settings. Administrator training is equally essential – many of the vulnerabilities we exploit as ethical hackers during tests are trivial configuration mistakes.

What are the most serious threats to SAP systems today?

Let’s list some of the most dangerous SAP vulnerabilities – all from the year 2025 and all from the most critical vulnerability category (CVSS 10/9.x).

CVE-2025-31324 in NetWeaver Visual Composer – a zero-day Remote Code Execution vulnerability. Since March 2025, we have observed mass attacks against SAP production environments. The vulnerability allows an attack without authentication; a single malicious HTTP POST request is enough to upload a web shell and gain full control at the sidadm level. The exploit is publicly available, and popular NetWeaver 7.x versions are vulnerable.

CVE-2025-30012 in SAP SRM Live Auction Cockpit. This is a very critical unauthenticated Java deserialization vulnerability in SRM_SERVER 7.14. I still frequently encounter environments running outdated Java applets. The vulnerability allows an attacker to achieve remote RCE by uploading a crafted binary object. The only remedy is immediate migration and removal of these components.

CVE-2025-42957 in SAP S/4HANA, an ABAP injection (CVSS 9.9) – affects virtually every version of S/4HANA (cloud and on-premise). The attack is possible with minimal privileges. A vulnerability in RFC communication allows the creation of new administrative accounts and extraction of passwords, and even full system takeover. Confirmed attacks involving data leaks and ransomware have already been observed.

NetWeaver Portal – correlated deserialization vulnerabilities (CVSS 9.1). These allow attackers to execute custom Java code with administrator privileges, steal credentials, and manipulate data. In practice, they lead to a complete loss of control over the portal. The key CVEs (Common Vulnerabilities and Exposures) are: 42980, 42964, 42966, 42963.

These are not theoretical scenarios – in our work we have seen successful attacks exploiting each of these vulnerabilities.

What good practices can be implemented right away before a major incident occurs?

Above all, regular penetration testing and vulnerability scanning should be performed – preferably by external teams, to view the environment with fresh eyes. Automation should be combined with manual work. SAP requires knowledge and intuition that no scanner can replace. Administrator and technical user training must not be neglected – most critical issues result from human error. Another good practice should be continuous monitoring and immediate response – for example, by enabling Security Audit Log and analyzing alerts.

And finally, the most important point: do not wait for an incident. In SAP environments, response time is critical. Every vulnerability discovered before an attack translates into real cost savings and reduced business risk.

Are companies running SAP particularly attractive targets for attacks?

SAP as a system is not unique in terms of vulnerabilities – what is unique is the scale of the impact an attack can have. It is often the system that runs the entire business – finance, supply chain, HR. Taking over SAP is a golden ticket for a cybercriminal. That is why I repeat: even if it seems that “this does not concern us” – this means that it does.

Regular pentesting, scans, training and rapid response to security bulletins are no longer an “IT fad” – they are an obligation for any company that takes business security seriously.

Interviewed by Miroslawa Huk

CVSS scale

The Common Vulnerability Scoring System (CVSS) is an open platform for assessing the severity of computer security vulnerabilities that provides numerical scores from 0.0 to 10.0. The CVSS system, managed by the nonprofit FIRST, uses a set of metrics to measure vulnerabilities and their impact, helping organizations prioritize remediation efforts based on risk.

CVSS 10 is the highest possible score on the Common Vulnerability Scoring System, denoting a critical security vulnerability that is the most serious and requires immediate attention. Such a score indicates a vulnerability with a very high impact on system confidentiality, integrity and availability, often allowing remote code execution without authentication.
